<html>
<body bgcolor="silver">
<title>Four ways Ubiquiti Networks is creatively violating the GPL</title>
<h1>Four ways Ubiquiti Networks is creatively violating the GPL</h1>
<table>
<tr>
<td>
<font size="3">
<a href="https://www.ubnt.com">Ubiquiti Networks</a>
is a company which makes long-range wireless equipment. Admittedly, you can do
some
<a href="http://www.gizmag.com/go/7878/">
pretty amazing stuff</a>
with it, but the company has a dark history of
<a href="http://www.girardgibbs.com/blog/ubiquiti-the-latest-in-a-string-of-tech-company-lawsuit-investigations/">
securities fraud</a>,
<a href="http://www.unitedagainstnucleariran.com/company/ubiquiti-networks">
violation of U.S. sanctions</a>,
<a href="http://www.mofo.com/resources/news/2013/02/morrison--foerster-wins-dismissal-of-counterclai__">
trademark and copyright lawsuits</a>
and
<a href="http://www.faqs.org/patents/app/20140143374">
software patents</a>,
which isn't as amazing.
<p>
In addition to this, they have been violating the GPL.
However, because they did it creatively, most people don't know about it, and
Ubiquiti <i>still hasn't come into compliance</i>.
<p>
Here are four ways that they have succeeded in making the violations hard to
notice, and even harder to act upon.
<p>
</font>
</td>
</tr>
<tr>
<td>
<font size="5">
1. Giving the appearance of compliance
<p>
<img src="GPL_notice.png" alt="'You can find the complete and corresponding source in the GPL archive.'">
</font>
</td>
</tr>
<tr>
<td>
<font size="3">
Ubiquiti had a website set up where you can download tarballs purportedly
containing all GPL source for each and every firmware release. (I can't find it
any more, but that doesn't mean that it isn't still there.) When you look
through these tarballs, they <i>appear to be complete</i>, and there are build
instructions which allow you to make your own custom firmware.
<p>
It's only when you look closer that you start to notice problems, such as...
</font>
</td>
</tr>
<tr>
<td>
<font size="5">
2. Refusing to provide the source to their modified bootloader, even
though they made changes that introduced security vulnerabilities
<p>
<img src="https://upload.wikimedia.org/wikipedia/commons/thumb/2/23/Schlage_everest_C123_key_blanks.jpg/225px-Schlage_everest_C123_key_blanks.jpg" alt="Security keys">
</font>
</td>
</tr>
<tr>
<td>
<font size="3">
Up until version 5.5.4 of Ubiquiti's airOS, the locally-modified
<a href="http://www.denx.de/wiki/U-Boot/">u-boot</a>
bootloader contained a
<a href="https://community.ubnt.com/t5/Installation-Troubleshooting/AirOS-and-Security-DUMP-of-configuration-files-with-TFTP-or/m-p/921558#M66758">
security issue</a> 
- It was possible to extract the plain-text config from devices running the
firmware, <i>without leaving a trace</i>. And the plain-text config contains
<i>unencrypted WPA/WPA2/RADIUS passwords</i>.
<p>
Even worse than this security issue, was Ubiquiti's response to it. Namely,
they:
<ul>
<li>Refused to provide the source code, even though u-boot is under the GPL</li>
<li>Didn't fix the security issue for a long time after it was publicly
disclosed</li>
</ul>
<b>To this day, Ubiquiti still has not provided the u-boot source code.</b>
</font>
</td>
</tr>
<tr>
<td>
<font size="5">
3. Providing source code to <u>a</u> version of Linux, just not the one that they
actually ship, and hoping that nobody notices
</font>
<table>
<tr>
<td>
<img src="https://upload.wikimedia.org/wikipedia/commons/thumb/3/35/Tux.svg/207px-Tux.svg.png"></img>
</td>
<td>
<img src="https://upload.wikimedia.org/wikipedia/commons/thumb/8/8b/Allendux.svg/204px-Allendux.svg.png"></img>
</td>
</tr>
<tr>
<td><small>Ubiquiti Source</small></td>
<td><small>Ubiquiti Binaries</small></td>
</tr>
</table>
</td>
</tr>
<tr>
<td>
<font size="3">
It would be natural to think that the binaries that Ubiquiti provides were
compiled from the source code that Ubiquti provides. As it turns out, for a
large number of their releases, <i>the kernel source given does not correspond
to the kernel in the official firmware images</i>.
<p>
As evidence, consider that in
<a href="http://ubnt.com/downloads/firmwares/XN-fw/v5.5.4/XM.v5.5.4.16501.130308.1015.bin">
version 5.5.4 of the AirMax firmware</a>,
the kernel was modified such that
the MTD partitions would be read only, however this change cannot be found in
the
<a href="http://www.ubnt.com/downloads/firmwares/XN-fw/v5.5.4/GPL.UBNT.v5.5.4.tar.bz2">
corresponding kernel patches or source</a>.
<p>
<hr>
<b>Update:</b> Some people have expressed doubt that this is done in the
kernel, and could have been done in userspace. In response, I would like to
note a violation that is easier to verify. ag7240-eth.ko is a binary-only
kernel module contained in Ubiquiti's firmware. Instructions on how to confirm
this are <a href="instructions.html">here</a>.
<hr>
<p>
Such practices make finding violations extremely difficult, and we can't know
for certain that they haven't done this with anything else in the GPL tarball.
It's possible that this was just a mistake, but remember that
<a href="https://community.ubnt.com/t5/airOS-SDK-Custom-Development/No-more-SDK/m-p/440613#M1606">
people</a> have
<a href="http://community.ubnt.com/t5/airOS-SDK-Custom-Development/GPL-archive-missing-components/td-p/409238">
complained</a>
about this without much of a response.
<p>
And speaking of complaining...
</font>
</td>
</tr>
<tr>
<td>
<font size="5">
4. Dragging out GPL code requests for months on end, then inexplicably going
silent
<p>
<img src="https://upload.wikimedia.org/wikipedia/commons/thumb/5/5b/Bureaucracy_is_a_Challenge_%284669115193%29.jpg/180px-Bureaucracy_is_a_Challenge_%284669115193%29.jpg" alt="Bureaucracy is a challenge to be conquered with a righteous
attitude, a tolerance for stupidity, and a bulldozer when necessary">
</font>
</td>
</tr>
<tr>
<td>
<font size="3">
In case you think that I am being mean to Ubiquiti by going public, please note
that
I have been trying to contact Ubiquiti for the past year about the issue of
the u-boot source code. You can see my attempts
<a href="145960.txt">here</a>,
<a href="116975.txt">here</a> and
<a href="infoteam.txt">here</a>.
<p>
In fact,
<a href="copyrightholder.txt">
I even got a copyright holder of u-boot to ask for the source</a>,
and they still haven't provided it.
<p>
From my conversations with Ubiquiti, I have found that they claimed that it's
alright to refuse to provide source code to GPL-licensed software if "This
decision was taken with the security of the users in mind". Furthermore, my
conversations were endlessly delayed by the supposed necessity to forward my
query to another, unnamed, team. 
<p>
And ultimately, the relevant team never responded, hoping that I would simply
forget about it or give up.
<p>
However, if we want the GPL to retain its power, this is precisely what we
cannot do. If you can spare a minute, please do any or all of the following
so that we can retain the GPL's power to help the community:
<ul>
<li>Raise awareness - upvote it, send it to friends or write a blog post about
it</li>
<li>Write to Ubiquiti requesting the source - their email addresses are
support@ubnt.com and info@ubnt.com. You should try both.</li>
<li>Become a member of the <a href="https://sfconservancy.org">
Software Freedom Conservancy</a>
- they work to
<a href="https://sfconservancy.org/news/2015/mar/05/vmware-lawsuit/">
enforce the GPL</a>
and they need your support.
</li>
<li>Send me an email telling me what you've done. My email address is
riley@openmailbox.org</li>
</font>
</td>
</tr>
</table>
<hr>
<small>
The
<a href="https://commons.wikimedia.org/wiki/File:Schlage_everest_C123_key_blanks.jpg">
image of the keys</a>
is Copyright 
<a href="https://en.wikipedia.org/wiki/User:Cantaloupe2">
Cantaloupe2</a> at
<a href="https://en.wikipedia.org/wiki/">
English Wikipedia</a>, CC BY-SA 3.0.
<br>
The
<a href="https://commons.wikimedia.org/wiki/File:Tux.svg">
image of Tux without glasses</a>
is Copyright
<a href="http://www.isc.tamu.edu/~lewing/">
Larry Ewing</a>,
<a href="http://www.home.unix-ag.org/simon/">
Simon Budig</a>
and <a href="mailto:anja@gerwinski.de">
Anja Gerwinski</a>,
and can be used provided that attribution is given.
<br>
The
<a href="https://commons.wikimedia.org/wiki/File:Allendux.svg">
image of Tux with glasses</a>
is Copyright
<a href="https://commons.wikimedia.org/wiki/User:Subcommandante">
Subcommandante</a>
at <a href="https://commons.wikimedia.org">
Wikimedia Commons</a>, CC BY-SA 3.0
<br>
The
<a href="https://commons.wikimedia.org/wiki/File:Bureaucracy_is_a_Challenge_%284669115193%29.jpg">
bureaucracy quote photo</a>
is Copyright
<a href="https://www.flickr.com/people/18713399@N00">
Ben Woosley</a>, CC BY-SA 2.0.
<br>
The text was written by 
<a href="mailto:riley@openmailbox.org">
Riley Baird</a>
(me). I, Riley Baird, the copyright holder
of the text on this webpage, hereby release this text into the public domain.
This applies worldwide. In case this is not legally possible, I grant any
entity the right to use this work for any purpose, without any conditions,
unless such conditions are required by law.
</small>
</body>
</html>
